Internal audit department: add CAM reconciliation audit to annual control scope
Internal audit departments review contract compliance, financial controls, and operational effectiveness. Commercial lease CAM reconciliation review fits squarely within each of those three categories: it is a contract compliance test of whether landlord billing conforms to the executed lease, a financial controls review of whether variable lease cost under ASC 842 is accurately recognized, and an operational effectiveness review of whether occupancy cost management processes are identifying and recovering billing errors. I built CAMAudit to automate the document-intensive detection layer so internal auditors can focus on the professional judgment elements: risk assessment, evidence evaluation, and recommendations. This article covers how internal audit departments can add CAM reconciliation audit to their annual scope, how to structure the testing procedures, and how to document findings that meet IIA workpaper standards.
Contract compliance audit: An audit procedure that verifies amounts billed by a third party conform to the terms of an executed contract. Commercial lease CAM reconciliation audit is a contract compliance audit: the auditor compares the landlord's billed charges against the lease provisions that specify allowable expense categories, calculation methodologies, and caps. Findings are documented as variances between contract terms and actual billing.
CAM overcharge risk in the internal audit universe
A risk-based audit universe identifies audit subjects based on financial materiality, control risk, and strategic relevance. Commercial lease CAM charges appear in all three dimensions:
Financial materiality. For a company with 20 NNN lease locations at an average of $8 per square foot per year in CAM charges and an average tenant size of 5,000 square feet, the annual CAM exposure is $800,000. Even a 5% overcharge rate across the portfolio represents $40,000 in annual overpayment. That is material for most mid-market companies and reportable in an audit finding.
Control risk. The primary control gap in CAM reconciliation review is the absence of a systematic process for verifying that landlord billing conforms to lease terms. Most AP departments confirm reconciliation arithmetic and approve payment without running a lease-compliance check. The lack of a preventive control means errors persist unchallenged for the full lease term unless an audit is performed.
Strategic relevance. Under ASC 842, variable lease cost is a recognized P&L item. Systematic CAM overcharges mean the company is reporting inflated variable lease cost relative to its contractual obligations. This is a financial reporting accuracy issue that internal audit is well-positioned to identify and escalate.
IIA Standards alignment
The IIA Standards provide the framework for scoping CAM audit as an internal audit activity:
- Standard 2100 (Nature of Work): Internal audit evaluates and contributes to the improvement of risk management, control, and governance processes. Contract compliance review is within this scope.
- Standard 2120 (Risk Management): Internal audit evaluates the effectiveness of risk management processes. The absence of systematic CAM reconciliation review is a risk management gap.
- Standard 2130 (Control): Internal audit evaluates the adequacy and effectiveness of controls in responding to risks within the organization. The absence of a lease compliance control over CAM billing is an internal control gap.
CAM audit findings can be reported under the IIA finding structure (condition, criteria, cause, effect, recommendation) and included in the annual audit report.
Testing procedures for CAM reconciliation review
The following table maps CAMAudit's 14 detection rules to standard audit testing procedures:
| CAMAudit detection rule | Audit test objective | Evidence produced |
|---|---|---|
| Management fee overcharge | Verify fee percentage vs. lease cap | Dollar variance, lease citation |
| Pro-rata share error | Verify denominator and tenant SF vs. lease | Percentage variance, building area calculation |
| CAM cap violation | Verify annual increase vs. cumulative cap | Year-over-year increase calculation, cap provision citation |
| Gross-up violation | Verify occupancy threshold and expense pool | Occupancy rate comparison, methodology citation |
| Base year error | Verify base year expenses vs. lease-defined methodology | Base year comparison, exclusion list check |
| Controllable expense cap overcharge | Verify controllable CAM increase vs. cap | Controllable expense calculation, cap provision citation |
| Excluded service charges | Verify that excluded categories are not billed | Line-item classification against exclusion list |
| Landlord overhead pass-through | Verify no administrative costs in CAM pool | Overhead category identification and lease citation |
Each test produces a quantified variance and a specific lease clause citation. This is the standard evidence format for audit workpapers: the condition (the amount billed) is paired with the criterion (the lease provision establishing the correct amount).
Risk-based prioritization for CAM audit scope
Internal audit cannot audit every lease location in a large portfolio every year. A risk-scoring model identifies the highest-priority locations:
| Risk factor | Weight | Scoring criteria |
|---|---|---|
| Annual CAM exposure | High | Score 3 for >$75k, 2 for $25k-$75k, 1 for <$25k |
| Years since last audit | High | Score 3 for 5+ years, 2 for 3-4 years, 1 for 1-2 years |
| Lease complexity | Medium | Score 3 for multiple amendments + cap + gross-up, 2 for standard NNN, 1 for simple gross lease |
| Landlord profile | Medium | Score 3 for large institutional REIT, 2 for mid-size private, 1 for single-property owner |
| Prior findings history | High | Score 3 if prior findings exist, 1 if no prior findings |
Locations with composite scores of 10 or above are the annual audit priority. This framework ensures that the internal audit team focuses CAM audit resources on the locations with the greatest risk exposure.
"Internal audit teams are already doing contract compliance testing in AP and procurement. CAM reconciliation is contract compliance for the occupancy cost line. After testing reconciliation samples through CAMAudit, the detection output maps directly to standard audit workpaper format." —
Workpaper documentation standards
CAM audit findings should be documented to IIA workpaper standards. A complete CAM finding workpaper includes:
Condition. The amount billed by the landlord for the specific line item or calculation. Example: "Management fee of $47,500 was billed for the period January through December 2024."
Criteria. The specific lease provision that establishes the correct billing methodology. Example: "Section 4.2(b) of the executed lease dated [date] limits management fees to 3% of controllable CAM expenses."
Cause. Why the overcharge occurred. Example: "The landlord applied the management fee to the gross CAM expense pool rather than the controllable expense subset as required by the lease."
Effect. The dollar amount of the variance and the exposure period. Example: "The management fee overcharge for 2024 is $8,750 ($47,500 billed vs. $38,750 allowable). If this methodology has been applied since lease commencement in 2020, the cumulative exposure over 4 years is approximately $35,000."
Recommendation. The action the audit committee or management should take. Example: "Management should issue a formal dispute to the landlord within the lease's audit window, requesting a credit for the 2024 overcharge and a recalculation of prior years under the correct methodology."
CAMAudit output provides the condition and criteria elements automatically. The auditor documents cause, effect, and recommendation based on professional judgment and client context.
Implementation approach for internal audit departments
Internal audit departments can deploy CAM audit in one of three operating models:
Direct deployment. The internal audit team builds in-house capability to upload documents, review findings, and draft workpapers. This model provides maximum control and is appropriate for large companies with dedicated real estate audit resources.
Co-source with external advisor. The internal audit team partners with an external real estate advisory firm that holds a white-label CAMAudit subscription. The external advisor handles document upload and initial findings review; the internal auditor validates the findings and integrates them into the workpaper. This model is appropriate when the internal team lacks real estate lease expertise.
Fully outsourced. An external advisory firm with a white-label subscription handles the full audit and delivers findings as a client deliverable. The internal audit department validates the output and issues the finding. This is the lowest-resource model for the internal team.
For most mid-market companies, the co-source model is the most effective: the external advisor brings lease compliance expertise, and the internal auditor brings organizational context, audit standards knowledge, and the authority to escalate findings through the governance structure.
Frequently Asked Questions
Is CAM reconciliation audit within scope for an internal audit department?
Yes. CAM reconciliation audit falls within the standard internal audit scope of lease compliance testing and occupancy cost controls. The Institute of Internal Auditors (IIA) Standards recognize operational audit, contract compliance audit, and financial controls review as core internal audit activities. CAM reconciliation is a contract compliance audit: the internal audit team verifies that amounts billed by the landlord conform to the terms of the executed lease.
How does CAM overcharge risk appear in a risk-based audit universe?
CAM overcharges represent a financial reporting risk (variable lease cost under ASC 842 is misstated), a contract compliance risk (landlord is billing outside lease terms), and an occupancy cost budget risk (the company is paying more than contractually obligated). All three risk dimensions are relevant to an internal audit risk assessment. The risk is material for companies with large NNN lease portfolios where total annual CAM exposure is significant.
What testing procedures does CAMAudit support for an internal audit CAM review?
CAMAudit automates 14 specific control tests: management fee percentage compliance, pro-rata share denominator verification, CAM cap annual increase compliance, gross-up threshold and methodology compliance, base year expense verification, controllable expense cap compliance, excluded service category review, and landlord overhead pass-through detection. Each test produces a finding with a quantified variance and a specific lease clause citation, which is the standard evidence format for audit workpapers.
How should an internal audit team document CAM overcharge findings?
Internal audit findings documentation should include: (1) condition: the amount billed and the specific reconciliation line item; (2) criteria: the lease provision that establishes the correct billing methodology; (3) cause: why the overcharge occurred (calculation error, miscategorization, or deliberate methodology choice); (4) effect: the dollar amount of the variance and the exposure period; and (5) recommendation: a credit request, lease amendment discussion, or future reconciliation monitoring procedure. CAMAudit output provides the condition and criteria elements; the auditor documents cause, effect, and recommendation.
What is the IIA position on contract compliance auditing as a core internal audit activity?
The IIA Standards, specifically Standard 2100 (Nature of Work), define internal audit scope to include evaluating and contributing to the improvement of risk management, control, and governance processes. Contract compliance audit is explicitly within this scope: verifying that vendor and landlord billing conforms to executed contract terms is a controls evaluation. CAM reconciliation audit is contract compliance audit applied to the lease obligation.
How should CAM audit be prioritized within an internal audit risk universe?
Priority is driven by materiality and control risk. Locations with annual CAM exposure above $50,000 are material for most mid-size companies. Locations where prior audits have not been performed for 3 or more years have elevated control risk because errors accumulate. Locations where the landlord is a large REIT or institutional owner that manages thousands of tenants simultaneously present elevated systematic billing risk. A risk scoring matrix using these three factors identifies the highest-priority locations for annual audit coverage.
Can internal audit use CAMAudit as a substantive test tool rather than a reliance tool?
Yes. CAMAudit outputs quantified variances with lease citations, which is substantive test evidence rather than control reliance evidence. The internal auditor uses the CAMAudit findings as primary audit evidence (condition and criteria), then performs additional procedures to assess cause, evaluate materiality, and draft the recommendation. CAMAudit does not replace professional judgment; it automates the document-intensive detection step so the auditor can focus on the higher-judgment elements of the finding.